- Total Prize Pool: $65,000 in USDC
- HM awards: $49,920 in USDC
- QA awards: $2080 in USDC
- Judge awards: $7,500 in USDC
- Lookout awards: $5,000 in USDC
- Scout awards: $500 in USDC
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts April 26, 2024 20:00 UTC
- Ends May 17, 2024 20:00 UTC
⭐️ Note: NOYA platform will allocate 5% of all stars from the campaign to wardens who find valid vulnerabilities. This allocation will be proportional to their USDC rewards earned in the Code4rena competition, incentivizing thorough and diligent reviews of NOYA’s codebase.
The 4naly3er report can be found here.
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
This repo contains noya smart contract
Contracts
- Accounting manager : This contract is responsible for managing the deposits and withdrawals of the users, holding users shares as an ERC20 token and calculating its value based on a base token.
- Connectors : these set of contracts are responsible for the connection between the vault manager and the external protocols, it handles the deposits and withdrawals from the external protocols. They hold the assets and report the value of the assets to the vault manager.
- Omnichain Handler : these smart contracts are responsible for the connection between the vault manager and the external protocols on other chains. It handles the bridging to other chains and communication with those chains through Layer Zero infrastructure.
- Noya Value Oracle : this contract is responsible for calculating the value of the other tokens/positions that the connectors hold. The result is used by accounting manager to calculate the value of the shares.
- Noya Bridge and Swap handler : this contract is responsible for handling the bridging and swaps. We are using LiFi for this purpose but this contract is designed to be able to support other bridges and swaps in the future. Other contracts will be explained in the docs in detail.
- Previous audits: https://docs.noya.ai/audits-and-risk/audits
- Documentation: https://docs.noya.ai
- Website: https://noya.ai/
- X/Twitter: https://twitter.com/NetworkNoya
- Discord: https://discord.com/invite/BGS5qX6fPj
See scope.txt
| File | Logic Contracts | Interfaces | SLOC | Purpose | Libraries used |
|---|---|---|---|---|---|
| /contracts/accountingManager/AccountingManager.sol | 1 | **** | 486 | @openzeppelin/contracts-5.0/utils/ReentrancyGuard.sol @openzeppelin/contracts-5.0/token/ERC20/extensions/ERC4626.sol |
|
| /contracts/accountingManager/NoyaFeeReceiver.sol | 1 | **** | 23 | @openzeppelin/contracts-5.0/access/Ownable.sol | |
| /contracts/accountingManager/Registry.sol | 1 | **** | 327 | @openzeppelin/contracts-5.0/access/AccessControl.sol @openzeppelin/contracts-5.0/utils/ReentrancyGuard.sol |
|
| /contracts/connectors/AaveConnector.sol | 1 | **** | 75 | ||
| /contracts/connectors/AerodromeConnector.sol | 1 | **** | 107 | ||
| /contracts/connectors/BalancerConnector.sol | 1 | **** | 161 | ||
| /contracts/connectors/BalancerFlashLoan.sol | 1 | **** | 68 | @openzeppelin/contracts-5.0/utils/ReentrancyGuard.sol @openzeppelin/contracts-5.0/token/ERC20/utils/SafeERC20.sol |
|
| /contracts/connectors/CamelotConnector.sol | 1 | **** | 88 | @openzeppelin/contracts-5.0/token/ERC20/IERC20.sol | |
| /contracts/connectors/CompoundConnector.sol | 1 | **** | 86 | ||
| /contracts/connectors/CurveConnector.sol | 1 | **** | 215 | ||
| /contracts/connectors/Dolomite.sol | 1 | **** | 102 | ||
| /contracts/connectors/FraxConnector.sol | 1 | **** | 109 | ||
| /contracts/connectors/GearBoxV3.sol | 1 | **** | 71 | ||
| /contracts/connectors/LidoConnector.sol | 1 | **** | 62 | ||
| /contracts/connectors/MaverickConnector.sol | 1 | **** | 121 | @openzeppelin/contracts-5.0/token/ERC20/IERC20.sol | |
| /contracts/connectors/MorphoBlueConnector.sol | 1 | **** | 103 | ||
| /contracts/connectors/PancakeswapConnector.sol | 1 | **** | 31 | @openzeppelin/contracts-5.0/token/ERC721/IERC721.sol | |
| /contracts/connectors/PendleConnector.sol | 1 | **** | 178 | @openzeppelin/contracts-5.0/token/ERC20/utils/SafeERC20.sol | |
| /contracts/connectors/PrismaConnector.sol | 1 | **** | 107 | @openzeppelin/contracts-5.0/token/ERC20/utils/SafeERC20.sol | |
| /contracts/connectors/SNXConnector.sol | 1 | **** | 100 | ||
| /contracts/connectors/SiloConnector.sol | 1 | **** | 107 | ||
| /contracts/connectors/StargateConnector.sol | 1 | **** | 94 | ||
| /contracts/connectors/UNIv3Connector.sol | 1 | **** | 105 | ||
| /contracts/governance/Keepers.sol | 1 | **** | 81 | @openzeppelin/contracts-5.0/utils/cryptography/EIP712.sol @openzeppelin/contracts-5.0/access/Ownable2Step.sol @openzeppelin/contracts-5.0/utils/cryptography/ECDSA.sol |
|
| /contracts/governance/NoyaGovernanceBase.sol | 1 | **** | 46 | ||
| /contracts/governance/TimeLock.sol | 1 | **** | 7 | @openzeppelin/contracts-5.0/governance/TimelockController.sol | |
| /contracts/governance/Watchers.sol | 1 | **** | 6 | ||
| /contracts/helpers/BaseConnector.sol | 1 | **** | 175 | @openzeppelin/contracts-5.0/token/ERC20/utils/SafeERC20.sol @openzeppelin/contracts-5.0/token/ERC721/utils/ERC721Holder.sol @openzeppelin/contracts-5.0/token/ERC721/IERC721Receiver.sol @openzeppelin/contracts-5.0/utils/ReentrancyGuard.sol |
|
| /contracts/helpers/ConnectorMock2.sol | 1 | **** | 71 | @openzeppelin/contracts-5.0/token/ERC20/utils/SafeERC20.sol contracts/helpers/SwapHandler/GenericSwapAndBridgeHandler.sol contracts/interface/ITokenTransferCallBack.sol contracts/interface/IConnector.sol contracts/accountingManager/Registry.sol |
|
| /contracts/helpers/LZHelpers/LZHelperReceiver.sol | 1 | **** | 35 | @openzeppelin/contracts-5.0/access/Ownable.sol @layerzerolabs/lz-evm-oapp-v2/contracts/oapp/OApp.sol |
|
| /contracts/helpers/LZHelpers/LZHelperSender.sol | 1 | **** | 40 | @openzeppelin/contracts-5.0/access/Ownable.sol @layerzerolabs/lz-evm-oapp-v2/contracts/oapp/OApp.sol |
|
| /contracts/helpers/OmniChainHandler/OmnichainLogic.sol | 1 | **** | 46 | ||
| /contracts/helpers/OmniChainHandler/OmnichainManagerBaseChain.sol | 1 | **** | 31 | @openzeppelin/contracts-5.0/token/ERC20/utils/SafeERC20.sol | |
| /contracts/helpers/OmniChainHandler/OmnichainManagerNormalChain.sol | 1 | **** | 27 | @openzeppelin/contracts-5.0/token/ERC20/utils/SafeERC20.sol | |
| /contracts/helpers/SwapHandler/GenericSwapAndBridgeHandler.sol | 1 | **** | 110 | @openzeppelin/contracts-5.0/token/ERC20/utils/SafeERC20.sol @openzeppelin/contracts-5.0/utils/ReentrancyGuard.sol |
|
| /contracts/helpers/SwapHandler/Implementaions/LifiImplementation.sol | 1 | **** | 129 | @openzeppelin/contracts-5.0/access/Ownable2Step.sol @openzeppelin/contracts-5.0/token/ERC20/utils/SafeERC20.sol @openzeppelin/contracts-5.0/utils/ReentrancyGuard.sol |
|
| /contracts/helpers/TVLHelper.sol | 1 | **** | 39 | ||
| /contracts/helpers/valueOracle/NoyaValueOracle.sol | 1 | **** | 80 | @openzeppelin/contracts-5.0/access/Ownable.sol | |
| /contracts/helpers/valueOracle/oracles/ChainlinkOracleConnector.sol | 1 | **** | 89 | @openzeppelin/contracts-5.0/access/Ownable.sol @openzeppelin/contracts-5.0/token/ERC20/extensions/IERC20Metadata.sol |
|
| /contracts/helpers/valueOracle/oracles/UniswapValueOracle.sol | 1 | **** | 51 | @uniswap/v3-core/contracts/interfaces/IUniswapV3Factory.sol @openzeppelin/contracts-5.0/access/Ownable.sol |
|
| /contracts/helpers/valueOracle/oracles/WETH_Oracle.sol | 1 | **** | 10 | ||
| Totals | 41 | **** | 3999 |
See out_of_scope.txt
| File |
|---|
| ./contracts/external/interfaces/Aave/IPool.sol |
| ./contracts/external/interfaces/Aerodrome/IGauge.sol |
| ./contracts/external/interfaces/Aerodrome/IPool.sol |
| ./contracts/external/interfaces/Aerodrome/IRouter.sol |
| ./contracts/external/interfaces/Aerodrome/IVoter.sol |
| ./contracts/external/interfaces/Balancer/IBalancerPool.sol |
| ./contracts/external/interfaces/Balancer/IBalancerVault.sol |
| ./contracts/external/interfaces/Balancer/IFlashLoanRecipient.sol |
| ./contracts/external/interfaces/Camelot/ICamelotFactory.sol |
| ./contracts/external/interfaces/Camelot/ICamelotPair.sol |
| ./contracts/external/interfaces/Camelot/ICamelotRouter.sol |
| ./contracts/external/interfaces/Compound/ICompound.sol |
| ./contracts/external/interfaces/Convex/IBooster.sol |
| ./contracts/external/interfaces/Convex/IConvexBasicRewards.sol |
| ./contracts/external/interfaces/Curve/ICurveSwap.sol |
| ./contracts/external/interfaces/Curve/IRewardsGauge.sol |
| ./contracts/external/interfaces/Dolomite/AccountBalanceHelper.sol |
| ./contracts/external/interfaces/Dolomite/IBorrowPositionProxyV1.sol |
| ./contracts/external/interfaces/Dolomite/IDepositWithdrawalProxy.sol |
| ./contracts/external/interfaces/Dolomite/IDolomiteAMMPair.sol |
| ./contracts/external/interfaces/Dolomite/IDolomiteAmmFactory.sol |
| ./contracts/external/interfaces/Dolomite/IDolomiteMargin.sol |
| ./contracts/external/interfaces/Frax/IFraxPair.sol |
| ./contracts/external/interfaces/Gearbox/ICreditConfiguratorV3.sol |
| ./contracts/external/interfaces/Gearbox/ICreditFacadeV3.sol |
| ./contracts/external/interfaces/Gearbox/ICreditFacadeV3Multicall.sol |
| ./contracts/external/interfaces/Gearbox/ICreditManagerV3.sol |
| ./contracts/external/interfaces/Lido/ILido.sol |
| ./contracts/external/interfaces/Lido/ILidoWithdrawal.sol |
| ./contracts/external/interfaces/Lido/IWETH.sol |
| ./contracts/external/interfaces/Maverick/IMaverickPool.sol |
| ./contracts/external/interfaces/Maverick/IMaverickPosition.sol |
| ./contracts/external/interfaces/Maverick/IMaverickReward.sol |
| ./contracts/external/interfaces/Maverick/IMaverickRouter.sol |
| ./contracts/external/interfaces/Maverick/IPositionInspector.sol |
| ./contracts/external/interfaces/Maverick/IveMAV.sol |
| ./contracts/external/interfaces/Morpho/IIrm.sol |
| ./contracts/external/interfaces/Morpho/IMorpho.sol |
| ./contracts/external/interfaces/Morpho/IOracle.sol |
| ./contracts/external/interfaces/MorphoBlue/IIrm.sol |
| ./contracts/external/interfaces/MorphoBlue/IMorpho.sol |
| ./contracts/external/interfaces/MorphoBlue/IOracle.sol |
| ./contracts/external/interfaces/Pancakeswap/IMasterChefV3.sol |
| ./contracts/external/interfaces/Pendle/IPActionSwapPTV3.sol |
| ./contracts/external/interfaces/Pendle/IPActionSwapYTV3.sol |
| ./contracts/external/interfaces/Pendle/IPAllActionTypeV3.sol |
| ./contracts/external/interfaces/Pendle/IPLimitRouter.sol |
| ./contracts/external/interfaces/Pendle/IPMarket.sol |
| ./contracts/external/interfaces/Pendle/IPPrincipalToken.sol |
| ./contracts/external/interfaces/Pendle/IPPtOracle.sol |
| ./contracts/external/interfaces/Pendle/IPStandardizedYield.sol |
| ./contracts/external/interfaces/Pendle/IPYieldToken.sol |
| ./contracts/external/interfaces/Pendle/IPendleMarketDepositHelper.sol |
| ./contracts/external/interfaces/Pendle/IPendleRouter.sol |
| ./contracts/external/interfaces/Pendle/IPendleStaticRouter.sol |
| ./contracts/external/interfaces/Prisma/IBorrowerOperations.sol |
| ./contracts/external/interfaces/Prisma/IDepositToken.sol |
| ./contracts/external/interfaces/Prisma/IStakeNTroveZap.sol |
| ./contracts/external/interfaces/Prisma/TroveManager/ITroveManager.sol |
| ./contracts/external/interfaces/SNXV3/IV3CoreProxy.sol |
| ./contracts/external/interfaces/Silo/IBaseSilo.sol |
| ./contracts/external/interfaces/Silo/IInterestRateModel.sol |
| ./contracts/external/interfaces/Silo/INotificationReceiver.sol |
| ./contracts/external/interfaces/Silo/IPriceProvider.sol |
| ./contracts/external/interfaces/Silo/IPriceProvidersRepository.sol |
| ./contracts/external/interfaces/Silo/IShareToken.sol |
| ./contracts/external/interfaces/Silo/ISilo.sol |
| ./contracts/external/interfaces/Silo/ISiloRepository.sol |
| ./contracts/external/interfaces/Stargate/IStargateLPStaking.sol |
| ./contracts/external/interfaces/Stargate/IStargateRouter.sol |
| ./contracts/external/interfaces/UNIv3/INonfungiblePositionManager.sol |
| ./contracts/external/interfaces/UNIv3/IUniswapV3Factory.sol |
| ./contracts/external/interfaces/UNIv3/IUniswapV3Pool.sol |
| ./contracts/external/libraries/GearBox/BalancesLogic.sol |
| ./contracts/external/libraries/GearBox/BitMask.sol |
| ./contracts/external/libraries/Morpho/ErrorsLib.sol |
| ./contracts/external/libraries/Morpho/MarketParamsLib.sol |
| ./contracts/external/libraries/Morpho/MathLib.sol |
| ./contracts/external/libraries/Morpho/SharesMathLib.sol |
| ./contracts/external/libraries/Morpho/UtilsLib.sol |
| ./contracts/external/libraries/Morpho/periphery/MorphoLib.sol |
| ./contracts/external/libraries/Morpho/periphery/MorphoStorageLib.sol |
| ./contracts/external/libraries/Pendle/Errors.sol |
| ./contracts/external/libraries/Pendle/IPMarket.sol |
| ./contracts/external/libraries/Pendle/IPPrincipalToken.sol |
| ./contracts/external/libraries/Pendle/IPPtOracle.sol |
| ./contracts/external/libraries/Pendle/IPStandardizedYield.sol |
| ./contracts/external/libraries/Pendle/IPYieldToken.sol |
| ./contracts/external/libraries/Pendle/IPendleMarketDepositHelper.sol |
| ./contracts/external/libraries/Pendle/LogExpMath.sol |
| ./contracts/external/libraries/Pendle/MarketApproxPtInLib.sol |
| ./contracts/external/libraries/Pendle/MarketMathCore.sol |
| ./contracts/external/libraries/Pendle/Math.sol |
| ./contracts/external/libraries/Pendle/MiniHelpers.sol |
| ./contracts/external/libraries/Pendle/PYIndex.sol |
| ./contracts/external/libraries/Pendle/PendleLpOracleLib.sol |
| ./contracts/external/libraries/Pendle/PendlePtOracleLib.sol |
| ./contracts/external/libraries/Pendle/SYUtils.sol |
| ./contracts/external/libraries/Silo/EasyMathV2.sol |
| ./contracts/external/libraries/Silo/SolvencyV2.sol |
| ./contracts/external/libraries/dolomite/Decimal.sol |
| ./contracts/external/libraries/dolomite/Types.sol |
| ./contracts/external/libraries/uniswap/FixedPoint96.sol |
| ./contracts/external/libraries/uniswap/FullMath.sol |
| ./contracts/external/libraries/uniswap/LiquidityAmounts.sol |
| ./contracts/external/libraries/uniswap/OracleLibrary.sol |
| ./contracts/external/libraries/uniswap/PoolAddress.sol |
| ./contracts/external/libraries/uniswap/TickMath.sol |
| ./contracts/interface/Accounting/IAccountingManager.sol |
| ./contracts/interface/IConnector.sol |
| ./contracts/interface/IPositionRegistry.sol |
| ./contracts/interface/ITokenTransferCallBack.sol |
| ./contracts/interface/SwapHandler/ILiFi.sol |
| ./contracts/interface/SwapHandler/ISwapAndBridgeHandler.sol |
| ./contracts/interface/SwapHandler/ISwapAndBridgeImplementation.sol |
| ./contracts/interface/valueOracle/AggregatorV3Interface.sol |
| ./contracts/interface/valueOracle/INoyaValueOracle.sol |
| ./testFoundry/AaveConnector.t.sol |
| ./testFoundry/Aerodrome.t.sol |
| ./testFoundry/BalancerConnector.t.sol |
| ./testFoundry/BaseConnector.t.sol |
| ./testFoundry/CompoundConnector.t.sol |
| ./testFoundry/CurveConnector.t.sol |
| ./testFoundry/Dolomite.t.sol |
| ./testFoundry/FraxConnector.t.sol |
| ./testFoundry/GearBoxV3.t.sol |
| ./testFoundry/LidoConnector.t.sol |
| ./testFoundry/MaverickConnector.t.sol |
| ./testFoundry/MorphoBlue.t.sol |
| ./testFoundry/PancakeswapConnector.t.sol |
| ./testFoundry/PendleConnector.t.sol |
| ./testFoundry/PrismaConnector.t.sol |
| ./testFoundry/SNXConnector.t.sol |
| ./testFoundry/SiloConnector.t.sol |
| ./testFoundry/SiloFlashLoan.t.sol |
| ./testFoundry/StargateConnector.t.sol |
| ./testFoundry/TestAccounting.sol |
| ./testFoundry/TestFlashLoan.sol |
| ./testFoundry/UNIv3Connector.t.sol |
| ./testFoundry/testAccountingBranches.sol |
| ./testFoundry/testLifi.sol |
| ./testFoundry/testOmnichain.t.sol |
| ./testFoundry/testOracle.sol |
| ./testFoundry/testRegistry.sol |
| ./testFoundry/testSwapETH.sol |
| ./testFoundry/testSwapHandler.sol |
| ./testFoundry/utils/mocks/ConnectorMock.sol |
| ./testFoundry/utils/mocks/ConnectorMock2.sol |
| ./testFoundry/utils/mocks/EmergancyMock.sol |
| ./testFoundry/utils/mocks/IDiamondCut.sol |
| ./testFoundry/utils/mocks/IrmMock.sol |
| ./testFoundry/utils/mocks/LZEndpointMock.sol |
| ./testFoundry/utils/mocks/MockDataFeed.sol |
| ./testFoundry/utils/mocks/MockDataFeedForMorphoBlue.sol |
| ./testFoundry/utils/mocks/bridgeImplementationMock.sol |
| ./testFoundry/utils/mocks/lifiDiamondMock.sol |
| ./testFoundry/utils/resources/ArbitrumAddresses.sol |
| ./testFoundry/utils/resources/BaseAddresses.sol |
| ./testFoundry/utils/resources/BinanceSmartChainAddresses.sol |
| ./testFoundry/utils/resources/MainnetAddresses.sol |
| ./testFoundry/utils/resources/OptimismAddresses.sol |
| ./testFoundry/utils/resources/PolygonAddresses.sol |
| ./testFoundry/utils/testStarter.sol |
| Totals: 163 |
| Question | Answer |
|---|---|
| ERC20 used by the protocol | Any |
| Test coverage | 90.2% |
| ERC721 used by the protocol | Yes, uniswap non fungible positions |
| ERC777 used by the protocol | No |
| ERC1155 used by the protocol | No |
| Chains the protocol will be deployed on | Ethereum,Arbitrum,Base,BSC,Optimism,Polygon,zkSync,Other,Avaxpolygon zkevm |
| Question | Answer |
|---|---|
| Enabling/disabling fees (e.g. Blur disables/enables fees) | No |
| Pausability (e.g. Uniswap pool gets paused) | No |
| Upgradeability (e.g. Uniswap gets upgraded) | No |
| Question | Answer |
|---|---|
| src/governance/Keepers.sol | EIP712 |
| src/accountingManager/AccountingManager.sol | ERC4626 |
https://docs.google.com/document/d/1TRYK3Vpr6VsI9B3QLEiGQR-E-NAmTd3tHfwj8eWHf64/edit
Integrity of the connectors interactions with the protocols (can we deposit and withdraw correctly) Fee mechanisms of noya
| Role | Description |
|---|---|
| Governor | This is a timelock smart contract that is responsible for changing the addresses of others. |
| Maintainer | This smart contract is in charge of adding a new vault, adding trusted tokens for that vault, and adding trusted positions to the registry. |
| Keepers | This is the smart contract that manages execution of the strategies. It’s a multisig contract. Strategy managers can submit their transactions into IPFS in an encrypted way and the keepers will decrypt and execute it. |
| watchers | This smart contract is responsible to make sure the execution of noya is going on correctly. If there is any misbehaving (like price manipulation or any suspicious actions from the keepers) the watchers and undo the action. |
| emergency | This address is also a cold wallet that is going to be used in situations that a position is stuck or another role of noya is compromised. |
git clone --recurse https://github.com/code-423n4/2024-04-noya.git
cd 2024-04-noya
yarn install
forge build
forge test
# To compare gas usage
forge snapshot --diff .gas-snapshot-init
# To generate lcov file
sh coverage.sh
# See slither.txt
slither . --foundry-out-directory artifactsFoundry- Coverage report:
Employees of NOYA and employees' family members are ineligible to participate in this audit.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent